Microsoft Internet Security and Acceleration Server 2004 SDK

Filter Requirements for SecureNAT Clients

Application filters can work with Firewall clients and SecureNAT clients. This section describes specific design considerations for filters that must work with SecureNAT clients. For information about designing filters to work with Firewall clients, see Filter Requirements for Firewall Clients.

To handle SecureNAT client connect requests for outbound primary connections, an application filter must register for events originating from a SecureNAT client. Use the fwxSourceNAT value of the FwxFirewallEventSource enumerated type when registering for SecureNAT client events. To handle both Firewall client and SecureNAT client requests, use the FWX_ALL_SOURCES macro.

If a filter will handle inbound connections to SecureNAT clients, including primary connections, a specific protocol must be registered. Use the IFWXFilterAdmin::RegisterProtocol method to register the protocol.

Inbound primary connections can be directed to a SecureNAT client by using the IFWXFirewall::CreatePrivateSession or IFWXFirewall::GetClientSession method. Use IFWXFirewall::CreatePrivateSession when the inbound connection was requested by an application, the SecureNAT client is not known by the Microsoft Firewall service, and no session object has been created. Use IFWXFirewall::GetClientSession only if the filter can assert that the client is configured to be a SecureNAT client of that server.

Use the IFWXSession::BindForClient method to permit SecureNAT clients to receive secondary inbound connections. Data filters that call IFWXSession::BindForClient and then edit addresses passed on a connection should use the fwx_dfpc_NAT value of the FwxDataFilterPriorityClass enumerated type. This places the filter as close to the client as possible; that is, it is the first data filter to receive data from the client. This ordering matters because the first filter to handle the SecureNAT data must be one that is capable of doing so. For more information, see Setting Filter Priorities.

Note: In a publishing scenario, mapping internal SecureNAT addresses for your publishing server to external IP addresses is done by using ISA Server Management or the FPCServerPublishingProperties object.